AS-301d · Module 1

Indirect Injection at Scale

4 min read

Indirect injection becomes exponentially more dangerous when AI agents operate autonomously over external data at scale. An agent that reads 500 emails per day encounters 500 potential injection vectors per day. An agent that summarizes 100 web pages per day encounters 100 potential injection vectors per day. The attack surface is not one malicious input — it is the cumulative volume of uncontrolled content that the agent processes as part of its normal operation.

The scaling challenge changes the defense strategy. You cannot manually review every email, every web page, and every uploaded document. The defense must be automated, fast, and tolerant of false negatives — because at 500 inputs per day, a 99% detection rate still means five injections per day that pass through undetected. This is why architectural containment is more important than detection at scale. You assume some injections will succeed and architect so that success has limited impact.

Do This

Treat every external data source as a potential injection vector — emails, web pages, uploaded files, API responses
Separate the processing of untrusted content from the execution of privileged actions — the agent that reads the email should not be the agent that sends the reply
Rate-limit the actions an agent can take per session to contain the impact of a successful injection

Avoid This

Trust external content because it comes from a "trusted" source — the source may be trusted but the content is not
Allow a single agent to both process untrusted data and execute privileged actions — separation of concerns is separation of attack surfaces
Assume detection will catch every injection — at scale, some will pass through, and your architecture must survive that